Why Disempowering Internal Auditors is like Stabbing yourself in the Eye
By Mikhail Ben Rabah, CIA, CFE, CRMA
Government Audit Manager, Presidency of the Government, Tunisia.
You may receive them warmly and friendly in your office with a big smile on your face but you will most probably fail to hide your embarrassment. You will keep your eyes fixed on your desk clock waiting for the end of the interview. Do not worry, internal auditors got used to it. Unless you do not cooperate or your behavior leads to a serious limitation to their work, they will leave you in peace once the job done. In fact, they do not expect you to show empathy for them. Their main concern shall remain performing the audit assignment as intended whatever you feel about it.
They likely try to convince you that internal audit activity is insightful, proactive, future-based and designed to add value and improve your organization’s operations. They will never miss an opportunity to persuade you how much they value and adhere to the professional standards, the code of ethics, the audit charter …etc. Nevertheless, you will still feel uncomfortable with these enigmatic individuals keeping watching you all time.
Although internal auditors do know they are the most unpopular employees in the organization, they will keep carrying out their activities as intended as long as their independence and objectivity are not impaired and their position, authority and responsibility are well defined.
However, things will get worse when the “tone at the top” starts dropping the internal audit activity and phasing out its scope of work.
Professional Institutions such as The Institute of Internal Auditors worked tirelessly for decades to promote the profession and build awareness of the value of internal auditing. However, the reality is often quite different. It depends on organizations’ culture, complexity and the maturity level of governance, risk and control (GRC) processes. Unfortunately, a large number of internal audit departments, both in private and public sectors are still struggling to impose their existence especially in developing countries.
Many studies have shown that five major reasons lead most probably to marginalization of the internal audit activity and isolation of internal auditors in their silos.
1-There is no an Audit Committee or there is one but Ineffective.
The most important function of an audit committee is to promote the independence of the internal and external auditors by protecting them from management’s influence. The internal audit activity largely derives its empowerment from an effective audit committee vested with the authority to oversee the internal audit group, approve the audit charter and the budget, hire the chief audit executive (CAE) and makes appropriate inquiries of management to determine whether audit scope or budgetary limitations impede the ability of the internal audit activity to meet its responsibilities.
Absence of an audit committee or failure to implement an effective one deprives auditors of the most valuable advocate they can have and exposes the organization to high risks.
This situation is especially common when local laws are lax in implementation of audit committees or in determining related requirements. For instance, the Sarbanes-Oxley act of 2002 (SOX) passed by the American Congress has emphasized the role of audit committees in publicly held companies and largely contributes to the enhancement of the internal audit activity.
2-The Audit Charter fails to create a common understanding of internal audit activity objectives and responsibilities.
The audit charter is defined according to the IIA attribute standard 1000 as a formal document that defines the internal audit activity’s purpose, authority, responsibility and establishes its position within the organization. The audit charter is created through a discussion process among the CAE, senior management and the board leading to a mutual agreement upon internal audit objectives and responsibilities, the expectations for the internal audit activity, the CAE’s functional and administrative reporting lines and the level of authority required for the internal audit activity to perform engagements and fulfill its agreed-upon objectives and responsibilities.
Hence, if the audit charter fails to create a common understanding and a mutual agreement upon internal audit activity objectives and responsibilities or was sloppy drafted, internal auditors are likely to navigate by sight and face serious barriers in determining their work scope or in accessing records, personnel, and physical properties.
3-The organization has an impoverished culture and its officials are highly involved in fraud and corruption.
Organizations that fail to establish an ethical culture and a strong “tone at the tope” are the most vulnerable to all fraud schemes.
When managers and subordinates embark on widespread corruption, chances of survival for internal auditors are minimal. The only rescuers will be the “parent” (owners of the company) who to save their interests, will be forced to hire a competent and honest board of directors with the main task to appoint a proficient CEO able to lead a drastic change.
The situation is quite different in the public sector. The Government may be careless about internal audit activity’s role and not effective in fighting corruption especially when accountability is not one of its main concerns. This is often the case in autocratic regimes and less mature democracies. In such a context, public internal auditors will not be rescued right away.
In both cases, the upper management will do everything possible to limit the internal audit activity scope and cut its budget, restrict access to resources and in general terms impede internal auditors’ work. Obviously, this will be easier in the absence of an effective audit committee or other similar oversight body.
4-But it can be the Internal Auditors’ Fault.
The marginalization or the disempowerment of the internal audit activity in an organization is not always others’ fault. Internal auditors are sometimes responsible of this situation and cannot always blame others for their condition.
The internal audit activity may fail to fulfill its responsibilities like any other function in the organization. The IIA released in April 2009 a Practice Advisory (PA 2120-2, Managing the Risk of the Internal Audit Activity) which clearly states that internal audit activity is not immune to risk. The Practice Advisory categorizes internal audit activity risks into three broad categories: audit failure, false assurance, and reputation risks. It detailed how internal audit failures can jeopardize and even ruin the audit department reputation and expose the organization to significant risk.
Thereupon, the Practice Advisory specifies that “the credible reputation of an internal audit activity is an essential part of its effectiveness. Internal audit activities that are viewed with high regard are able to attract talented professionals and are highly valued by their organizations. Maintaining a strong “brand” is paramount to the internal audit activities’ success and ability to contribute to the organization. In most cases, the internal audit activity’s brand has been built over several years through consistent, high quality work. Unfortunately, this brand can be destroyed instantly by one high profile, adverse event”.
Moreover, the internal audit department should establish audit key performance indicators and communicate its performance measurements to senior management and the board on a regular basis. The IIA Practice Guide, “Measuring Internal Audit Effectiveness and Efficiency” states that establishing performance measures is critical in determining whether an audit activity is meeting its objectives, consistent with the highest quality practices and standards. This is essential to provide assurance to senior management and the board on the effectiveness and efficiency of the internal audit activity and therefore to reinforce its reputation and position within the organization.
Besides, in a continuous changing world, the internal audit activity may fail to deal with new business challenges and cope with the rapid technological progress.
Hence, internal auditors can involuntarily put themselves in such a bad position and loose the privileged position they have been in. It is primarily their responsibility to remedy this situation.
5-The Internal Audit activity is effective and efficient but fails to promote its outcomes.
Internal auditors have worked for a long time discreetly out of sight of others. They do not feel comfortable when we talk much about them. This is a common mistake. Like any activity in the organization, internal audit activity should promote the work done and demonstrates how it contributes to the improvement of the organization’s governance, risk and control processes. Stakeholders can notice improvements in management effectiveness and efficiency without necessarily relating them to the value added by internal auditors’ work.
Is the “Tone at the Top” the cure for all ills?
Recent researches have emphasized the fact that the “tone at the top” and the strong commitment of senior management and the board to the continuous improvement of governance, risk and control processes are prerequisites for the success of any organization.
As well as the “tone at the top” may be considered as a prior condition to an effective and efficient internal audit activity, internal auditors have a key role in assessing the organization’s culture and pushing the board and senior management towards a beneficial change. It’s a loop.
So, is the “tone at the top” the cure for all ills? It could be but not all managers and decision makers are willing to go through this. Many organizations have opted for a drastic change of their governance model only after a painful failure. Sometimes nothing is worth as a business downfall to push managers recognizing mistakes they made and standing up for change. People and organizations often learn better from their mistakes. However, this is generally applicable to the private sector while in public sector, things are more complex especially in an environment that lacks accountability. Public internal auditors could keep trying to advocate their profession but, in most cases, it would not be enough. Once again, degradation of public services and public finances will most probably lead the public to express great concern and confusion about how governments are functioning and not always in a peaceable manner.
Dear CEOs, senior managers, decision-makers, act before it’s too late. That day you may realize how precious could internal auditors have been to make your organization avoid the worst.
Disempowering internal auditors is like stabbing yourself in the eye.
- Shall internal auditors be prepared to “Metaverse”? - November 6, 2021
- Overzealousness, a Threat to Auditors’ Objectivity? - January 19, 2021
- How Worthy Time Management is in Internal Auditing - December 28, 2020
Interesting Mikhail, thank you, and regarding your final point I agree that it’s a shame but reality that sometimes organisations need failure to shake up the status quo and drive positive change. I can see the failure you describe is from a position of comfort when ‘the top’ are feeling safe and secure, earning enough by fair means or foul, and so not particularly interested in innovation and improvement. That’s a different and more catastrophic failure than the daily set backs we get when pushing the boundaries to continuously improve. Every success to you Mikhail.